Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 362 of 2,445    |
|    Mike Powell to All    |
|    A cracked malicious versi    |
|    06 Feb 25 10:32:00    |
TZUTC: -0500
MSGID: 67.consprcy@1:2320/105 2c0a0d66
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1

A cracked malicious version of a Go package lay undetected online for years

Date:
Wed, 05 Feb 2025 16:04:00 +0000

Description:
Someone's been abusing GitHub's Go Module Mirror service, allowing the attack to persist.

FULL STORY
======================================================================
 - Someone forked a popular database module and fitted it with malware
 - The malicious fork was then cached and stored indefinitely
 - It was then creatively hidden in plain sight to target Go developers

A software supply chain attack targeting developers on the Go platform was apparently hiding in plain sight for three years to spread malware, experts have warned.

Cybersecurity researchers from Socket Security uncovered and publicly spoke about the campaign, which started back in 2021, when someone took a relatively popular database module called BoltDB on GitHub and forked it. In the fork, they added malicious code, which granted the attacker backdoor access to compromised computers.

That instance was then cached indefinitely by the Go Module Mirror service.

Abusing Go Module Mirror

For those unfamiliar with Go Module Mirror, it is a proxy service operated by Google that caches and serves Go modules to improve reliability, availability, and performance. It ensures that Go modules remain accessible even if the original source is modified, deleted, or becomes temporarily unavailable.

After the instance was cached, the attacker changed the Git tags in the source repository, to redirect visitors to the benign version, essentially hiding the malware in plain sight.

"Once installed, the backdoored package grants the threat actor remote access to the infected system, allowing them to execute arbitrary commands," security researcher Kirill Boychenko said in his report.

Speaking to TheHackerNews, Socket said this is one of the earliest recorded instances of threat actors taking advantage of the Go Module Mirror service.

"This is possible because Git tags are mutable unless explicitly protected," Socket said. "A repository owner can delete and reassign a tag to a different commit at any time. However, the Go Module Proxy had already cached the original malicious version, which was never updated or removed from the proxy, allowing the attack to persist."

The malicious version ended up permanently accessible through the Go Module Proxy, Boychenko explained. "While this design benefits legitimate use cases, the threat actor exploited it to persistently distribute malicious code despite subsequent changes to the repository."

Boychenko said that he reported his findings and awaits the removal of the malicious content: As of this publication, the malicious package remains available on the Go Module Proxy. We have petitioned for its removal from the module mirror and have also reported the threat actor's GitHub repository and account, which were used to distribute the backdoored boltdb-go package.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/a-cracked-malicious-version-of-a-go-package-lay-undetected-online-for-years

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30
SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426
|
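
The message above describes a tag being reassigned after the proxy had cached the original version. This is an added defender-side check, not part of the original message or of Socket's report: it compares the commit a proxy recorded for a version with the commit that tag points to now. It assumes the proxy's "<version>.info" reply carries an Origin block with Ref and Hash (older cached versions may lack it); `tagDrift`, the module URL and the hashes are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// proxyInfo holds the fields of a proxy "<version>.info" reply that record the
// tag and commit the cached copy was fetched from (assumed present; see lead-in).
type proxyInfo struct {
	Version string
	Origin  struct{ URL, Ref, Hash string }
}

// tagDrift compares the commit the proxy recorded with the commit the same tag
// resolves to now, taken from `git ls-remote --tags <repo>` output.
func tagDrift(infoJSON, lsRemote string) (drift bool, cached, current string, err error) {
	var info proxyInfo
	if err = json.Unmarshal([]byte(infoJSON), &info); err != nil {
		return false, "", "", err
	}
	if info.Origin.Ref == "" || info.Origin.Hash == "" {
		return false, "", "", fmt.Errorf("%s: no origin metadata to compare", info.Version)
	}
	for _, line := range strings.Split(lsRemote, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		// Annotated tags list their commit on the peeled "^{}" line, which wins.
		if f[1] == info.Origin.Ref+"^{}" || (f[1] == info.Origin.Ref && current == "") {
			current = f[0]
		}
	}
	// A tag that no longer exists upstream also counts: the proxy still serves it.
	return current != info.Origin.Hash, info.Origin.Hash, current, nil
}

// Constructed sample data: not taken from the real incident.
const sampleInfo = `{"Version":"v1.3.1","Time":"2021-11-01T00:00:00Z","Origin":{"VCS":"git",
 "URL":"https://example.com/demo/boltdb-fork","Ref":"refs/tags/v1.3.1",
 "Hash":"1111111111111111111111111111111111111111"}}`
const sampleTags = "2222222222222222222222222222222222222222\trefs/tags/v1.3.1\n"

func main() {
	drift, cached, current, err := tagDrift(sampleInfo, sampleTags)
	fmt.Println(drift, cached, current, err)
}
```

A drift result means the code a build resolves through the proxy is not what the repository shows for that tag today, so review should start from the cached copy.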
(c) 1994, bbs@darkrealms.ca